Hooking frameworks & inline hooks
Hooking intercepts your app's functions to permanently change behaviour — whether framework-based or via inline hooks that rewrite a function's prologue.
What it is
Frameworks like Xposed, LSPosed, Riru, Zygisk and Substrate inject modules into the process to intercept methods, while inline (trampoline) hooks rewrite the first bytes of a function to divert execution.
How attackers use it
Attackers use hooking to forge check results, bypass ads or payments, manipulate game logic, or intercept data.
How Appsolid detects it
Hooking-framework detection
Detects hooking injectors (Xposed, LSPosed, Riru, Zygisk, Substrate) mapped into the process address space.
Inline-hook detection
Inspects libc function prologues for trampoline hooks (Frida, Dobby, Substrate) and, on detection, reports a HOOK event and exits (arm64).
Honest scope: Inline-hook detection runs on arm64 and is opt-in. Every check inspects only its own process.